Last week, the company announced that attackers had compromised Passwordstate’s update mechanism and delivered the info-stealing Moserpass malware to an undisclosed number of users.
However, the company issued a new advisory today, saying that emails received from Click Studios were copied by the threat actors and distributed in follow-up phishing campaigns. The emails mimic the company’s earlier correspondence with impacted users, but instead of giving security advice, they deliver a new Moserpass variant.
Click Studios advises its users to abstain from sharing any information related to the attacks on social media, so as not to tip off the attackers.
“It is expected the bad actor is actively monitoring social media for information on the compromise and exploit,” Click Studios said today. “It is important customers do not post information on Social Media that can be used by the bad actor. This has happened with phishing emails being sent that replicate Click Studios email content.”
In the follow-up phishing attacks attempting to infect more Passwordstate customers, criminals have reportedly targeted only some Click Studios customers.
The company advises its users “to stay vigilant and ensure the validity of any email” they might receive. “If you are unsure if an email is from us, send it to Technical Support as an attachment, for confirmation,” Click Studios added.
The Moserpass malware collects and exfiltrates system information and passwords stolen from Passwordstate’s database, including fields such as Computer Name, User Name, Domain Name, Current Process Name, Current Process Id, display name and status, the Passwordstate instance’s Proxy Server Address, Username and Password, All running Processes names and ID, All running services names; Title, UserName, Description, GenericField1, GenericField2, GenericField3, Notes, URL, Password.
Click Studios urged all Passwordstate users who have installed a malicious upgrade to reset all passwords.